Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Fetching the keywords and creating queries

aditsss
Motivator
‎07-12-2023 07:08 AM

Hi Team,

Could you please guide how I can fetch the below keywords from raw logs:

2023-06-29 09:41:53.884 [INFO ] [pool-2-thread-1] ArchivalProcessor - finished reading file  /absin/TRIM.ARCH.D062923.T052525

2023-06-28 10:36:24.064 [INFO ] [pool-2-thread-1] ArchivalProcessor - finished reading file /  absin/TRIM.ARCH.D062823.T063718

2023-06-29 09:38:03.308 [INFO ] [pool-2-thread-1] ArchivalProcessor - Processing archival records for file TRIM.ARCH.D062923.T052525

Can someone guide me how can I fetch from raw logs.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-12-2023 07:20 AM

Hi @aditsss,

you have to use a regex like the following:

| rex "file\s+(?<filename>.*)"

that you can test at https://regex101.com/r/Uc21zy/1

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-12-2023 07:20 AM

Hi @aditsss,

you have to use a regex like the following:

| rex "file\s+(?<filename>.*)"

that you can test at https://regex101.com/r/Uc21zy/1

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-13-2023 11:33 PM

Hi @aditsss,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎07-12-2023 07:22 AM

@gcusello  could you please provide me the complete query:

My current query is this:

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-12-2023 07:26 AM

Hi @aditsss,

please try this

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"
| rex "file\s+(?<filename>.*)"
| table filename

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎07-12-2023 08:23 AM

Hi @gcusello 

I want something like this 

finished reading file /absin/TRIM.ARCH.D062923.T052525                  2023-06-29 09:41:53.884

One side it should be this and other side it should be date.

@gcusello  how can we create query for this. Please guide

2023-06-29 09:41:53.884 [INFO ] [pool-2-thread-1] ArchivalProcessor - finished reading file /absin/TRIM.ARCH.D062923.T052525

Also I don't want tabular format is that possible I can create bar chart.

Current query:

index="abx*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"| rex "file\s+(?<filename>.*)"

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-12-2023 08:26 AM

Hi @aditsss,

please try this:

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"
| rex "file\s+(?<filename>.*)"
| eval filename="finished reading file ".filename
| table filename _time

Ciao.

Giuseppe

Reply
Solved! Jump to solution

aditsss
Motivator
‎07-12-2023 08:32 AM

Thanks @gcusello 

But I want to create in bar chart format please guide.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-12-2023 08:36 AM

Hi @aditsss,

let me understand: you have a string in a column and a date in another, how do you want to put them in a chart?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎07-12-2023 08:38 AM

@gcusello 

I want string on bar and date down 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-12-2023 08:40 AM

Hi @aditsss,

if you want a timeline, you have to use the timeline Add-On at https://splunkbase.splunk.com/app/3120

There isn't any other solution.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎07-12-2023 08:43 AM

@gcusello 

I just want date down and string in column or bar format.

Can you guide me with timechart

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎07-12-2023 08:57 AM

@gcusello 

I tried like this but not getting any result:

 

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"
| rex "file\s+(?<filename>.*)"
| eval filename="finished reading file ".filename
|  timechart span=1d values(filename) AS filename
0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎07-12-2023 10:18 AM

Hi @gcusello 

I had tried like this:

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"
| rex "file\s+(?<filename>.*)"
| eval filename="finished reading file ".filename
| stats count by filename

I am getting result like this:

filename                                                                                                                                                  count

finished reading file TRIM.ARCH.D062623.T053124                                                1

I want something like this

filename                                                                                                                                                  Date

finished reading fileTRIM.ARCH.D062623.T053124                                      2023-06-29 09:41:53.884

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-12-2023 11:26 PM

Hi @aditsss,

as I said, in a chart you can insert a count or a value but never a string.

You can eventually have a timechart, but always with a value (a count or a sum) never with a string.

The only way to have a chart is the Timeline add-on.

Otherwise, you can have a table like the one you shared.

ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎07-12-2023 10:05 AM

@gcusello 

I am trying this query:

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/abs-upstreamer/logs/abs-upstreamer.log" "Processing archival records for file "
| rex "file\s+(?<filename>.*)"
| eval filename="Processing archival records for file ".filename
| stats count by filename

I am able to see result like this:

filename                                                                                                                                                     count

Processing archival records for file TRIM.ARCH.D062723.T061108                                 1

I want to see result like this

filename                                                                                                                                                     Date

Processing archival records for file TRIM.ARCH.D062723.T061108                                2023-06-27 09:29:11.022

@gcusello please guide

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New With SOAR 6.3

Register here for our Security Edition Tech Talk on Wednesday, October 2 , 2024  |  11AM–12PM PTTune in to see ...

Customer Experience | Splunk 2024: New Onboarding Resources

In 2023, we were routinely reminded that the digital world is ever-evolving and susceptible to new ...

Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...

Today and every day, Splunk celebrates the importance of customer experience throughout our product, ...